[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: some reality about iptables, please

On Tue, 2003-08-26 at 21:12, Bret Comstock Waldow wrote:
> I can find all the sites and advice I want about how to form iptables
> rules, but I can't find any decent discussion of how to enable the damn
> things.
> I get the idea that an iptables firewall is set up by actually running a
> bunch of "iptables -options" lines, presumably from a script.
> But where do I put the script(s)?
> There's a mechanism set up in /etc/default/iptables.  I quote from the
> file:
> # A: I was pretty much hounded into providing it. I do not like it.
> #    Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
> #    scripts use /etc/ppp/ip-*.d/ script. Create your own custom
> #    init.d script -- no need to even name it iptables.  Use ferm,
> #    ipmasq, ipmenu, guarddog, firestarter, or one of the many other
> #    firewall configuration tools available. Do not use the init.d
> #    script.
> ...
> # Q: How do I get started?
> # A: (Did I mention "do not use it" already? Oh well.)
> For crissake!  Can anyone point me at some sensible discussion of how
> the hell to go about putting firewall rules in place?  I've got a
> laptop, usually on a cable modem, but sometimes using dial-up.
> I know generally about the /etc/init.d/rcX.d runlevel mechanism.  Now I
> need a sensible discussion of when and HOW to run what sorts of
> iptables-rules-containing scripts so I can figure out how to protect my
> system.  Please don't just tell me about "runlevels" - I know they exist
> already.
> The Debian Security manual is useless.  It only give examples of a few
> iptables rules, says that's not enough, and speaks not at all (that I've
> found yet) about how to implement the damn things.
> Someone somewhere speaks to issue of the actual plumbing to implement
> iptables.  Can anyone point me?
you can read /etc/init.d/iptables comments for info.
here is the short version:
#clear out rules
iptables -F
#run script to load iptables rules into memory
sh iptables.sh
# make required directory? 
mkdir /var/lib/iptables
#save active rule set
/etc/init.d/iptables save active
#flush rules -- inactive rule set
iptables -F
#save inactive rules set
/etc/init.d/iptables save inactive
# enjoy rules  on next reboot or /etc/init.d/iptables start

Reply to: